Bug 205744

Summary: Make text track loading set same-origin fallback flag
Product: WebKit Reporter: Rob Buis <rbuis>
Component: New Bugs Assignee: Rob Buis <rbuis>
Status: RESOLVED INVALID    
Severity: Normal CC: annevk, cdumez, commit-queue, darin, dbates, eric.carlson, ews-watchlist, glenn, japhet, jer.noble, mkwst, philipj, sergio, webkit-bug-importer, youennf
Priority: P2 Keywords: InRadar
Version: Safari Technology Preview   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 216672    
Bug Blocks:    
Attachments: Patch (Flags: none)

Description Rob Buis 2020-01-03 12:16:43 PST
Make text track loading set same-origin fallback flag:
https://html.spec.whatwg.org/multipage/media.html#sourcing-out-of-band-text-tracks:create-a-potential-cors-request
Comment 1 Rob Buis 2020-01-03 12:25:43 PST
Created attachment 386706
Patch
Comment 2 Rob Buis 2020-01-03 13:54:37 PST
Comment on attachment 386706
Patch

This is the second and final part of the split mentioned in https://bugs.webkit.org/show_bug.cgi?id=205326.
Comment 3 WebKit Commit Bot 2020-01-03 23:57:30 PST
Comment on attachment 386706
Patch

Clearing flags on attachment: 386706

Committed r254031: <https://trac.webkit.org/changeset/254031>
Comment 4 WebKit Commit Bot 2020-01-03 23:57:32 PST
All reviewed patches have been landed.  Closing bug.
Comment 5 Radar WebKit Bug Importer 2020-01-03 23:58:19 PST
<rdar://problem/58314610>
Comment 6 Jer Noble 2020-09-17 16:26:34 PDT
Reopening as this patch caused a regression where videos on jw.org fail to show subtitles.
Comment 7 Jer Noble 2020-09-17 16:33:19 PDT
jw.org has captions hosted on Akamai where the .vtt file has CORS headers but the .mp4 file does not. So captions work if `crossorigin=anonymous` is added, but that breaks video rendering.

Other browsers play captions fine without the `crossorigin` attribute, and there do not seem to be WPT tests that verify behavior for this scenario (!same origin, no-cors, headers present). Since this caused behavior regressions in the wild, and other browsers have not implemented this same behavior, we're reverting this on trunk for now.
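
The request settings at issue in this bug, modelled as an added example (not WebKit code and not part of the thread): the first function follows the HTML spec's "create a potential-CORS request" steps linked in the description, and the second is a simplified Fetch outcome that assumes no redirects or preflights. Function names, hostnames and header values are constructed for illustration.

```javascript
// Added example, not WebKit code. Hostnames and headers below are constructed.
// corsState is the media element's crossorigin state:
// "no-cors" (attribute absent), "anonymous" or "use-credentials".
function createPotentialCorsRequest(url, corsState, sameOriginFallback = false) {
  let mode = corsState === "no-cors" ? "no-cors" : "cors";
  // The flag this bug sets for text tracks: never fall back to no-cors.
  if (sameOriginFallback && mode === "no-cors") mode = "same-origin";
  const credentials = corsState === "anonymous" ? "same-origin" : "include";
  return { url, mode, credentials };
}

// Simplified Fetch outcome (assumption: no redirects, no preflight).
function fetchOutcome(request, documentOrigin, headers) {
  if (new URL(request.url).origin === documentOrigin) return "readable";
  if (request.mode === "same-origin") return "network error";
  if (request.mode === "no-cors") return "opaque";
  const allowOrigin = headers["access-control-allow-origin"];
  if (request.credentials === "include") {
    // Credentialed CORS: wildcard is rejected, allow-credentials is required.
    const ok = allowOrigin === documentOrigin &&
      headers["access-control-allow-credentials"] === "true";
    return ok ? "readable" : "network error";
  }
  return allowOrigin === "*" || allowOrigin === documentOrigin
    ? "readable" : "network error";
}

// Constructed scenario shaped like comment 7: a cross-origin .vtt file
// served with CORS headers, loaded under each crossorigin state.
function trackMatrix() {
  const page = "https://video.example";
  const vtt = "https://cdn.example/captions/en.vtt";
  const headers = { "access-control-allow-origin": "*" };
  const rows = [];
  for (const state of ["no-cors", "anonymous", "use-credentials"]) {
    for (const flag of [false, true]) {
      const req = createPotentialCorsRequest(vtt, state, flag);
      rows.push({ state, flag, mode: req.mode, credentials: req.credentials,
                  outcome: fetchOutcome(req, page, headers) });
    }
  }
  return rows;
}

console.table(trackMatrix());
```

The row with no `crossorigin` attribute and the flag set is the case reported in comment 7: the request mode becomes `same-origin` and the cross-origin track fails even though the server sends CORS headers.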
Comment 8 Rob Buis 2020-12-22 01:32:05 PST
@Anne I implemented [1] but it seems to cause regressions in the wild, see comment 7. Do you know whether Mozilla implemented this? Should the spec be changed?

[1] https://html.spec.whatwg.org/multipage/media.html#sourcing-out-of-band-text-tracks:create-a-potential-cors-request
Comment 9 Anne van Kesteren 2021-01-06 03:13:51 PST
I guess other browsers do not use "same-origin" as the fallback and rather use "cors" always? And let credentials mode depend on the media element? It seems this is the only case where we pass the same-origin fallback flag and it might not be well tested.

I do hope they all enforce CORS as there would be a security problem otherwise.

`html/semantics/embedded-content/media-elements/track/track-element/track-data-url.html` does not really seem to test this as data URLs are considered same-origin. That does seem like a useful template to be able to add some cross-origin tests, though testing the credentials part might require some server-side logic as well.

I filed https://github.com/whatwg/html/issues/6267 to track this standards-wise.
Comment 10 youenn fablet 2022-04-22 03:23:34 PDT
I validated Chrome is using same origin as default.
Some time has passed and identified breaking websites have been updated.
Let's try to reland this behavior in https://bugs.webkit.org/show_bug.cgi?id=239381.